Blit-Tech logo

WiFi Insecurity

A tour of common attacks on WiFi networks

Blit-Tech logo

Information Security Consultant @ Blit-Tech

Software Developer @ Shelter Insurance

Email: nabil@blit.tech

What we are doing

Over of WiFi security standards and issues

Krack a network and read packets

No Physical Access Control

Maybe the only issue that is fundamental to wireless security

Most attacks use this to their advantage

WEP

Don't use this!!

src: http://www.cs.sjsu.edu/~stamp/CS265/projects/Spr05/papers/WEP.pdf

The Core Problem is IV is used incorrectly

Key Reuse with RC4

WPA

Wi-Fi Protected Access

WPA Modes

  • WPA-Personal: Static pre-shared key (aka. password). Most common in homes and coffee shops.
  • WPA-Enterprise: Requires and authentication server, has lots of modes.
  • WPS: Wi-Fi Protected Setup. Uses and 8-digit PIN. Broken, disable if you can.

WPA's Keys

  • PMK: Pairwise Master Key, derived from the password (WPA-Personal) or the EAP parameters.
  • PTK: Pairwise Transient Key, PMK || ANonce || SNonce || AP MAC || Station MAC, used to encrypt traffic
  • GTK: Group Temporal Key, used to encrypt/decrypt broadcast traffic. Generated by the AP

The WPA Handshake

  1. The AP sends a nonce ANonce and a Key Replay Counter to the station.
  2. The station constructs the PTK. The station sends a nonce SNonce, a MIC and the Key Replay Counter to the AP.
  3. The AP verifies message 2 and then sends the GTK and another MIC to the station.
  4. The station verifies the AP's message and sends a confirmation

WPA 3

The Future!

Thank you Mathy Vanhoef

More Secure Handshake

Eliminates offline dictionary attacks and provides forward secrecy using SAE

Replace WPS

A little complicated, but is based on the devices wanting to connect providing a public key to the router

Unauthenticated Encryption

Not sure how this will work, but Opportunistic Wireless Encryption (OWE) is a strong candidate

What wasn't discussed

  • KRACK
  • WPS Pin Brute forcing
  • TKIP Weaknesses
  • Captive Portals
  • Router-specific issues
  • Lesser known issues
  • "Regular" network attacks

Demo Time!